Research projects which gather or use information about living individuals must meet the requirements of the Data Protection Act, as well as ethical requirements. Data should be kept in a form that would enable retrieval by a third party, subject to limitations imposed by legislation and general principles of confidentiality. Researchers should consider how data will be gathered, analysed and managed, and how and in what form relevant data will eventually be made available to others, at an early stage of the design of the project. Researchers should collect data accurately, efficiently and according to the agreed design of the research project, and ensure that it is stored in a secure and accessible form. If research data is to be deleted or destroyed, either because its agreed period of retention has expired or for legal or ethical reasons, it should be done so in accordance with all legal, ethical, research funder and organisational requirements and with particular concern for confidentiality and security.
Data which have been collected previously by someone other than the researcher and anonymised and for which neither the researcher nor any other researcher at the University (nor anyone else involved in the project from outside the University) holds a code to identify individuals, or other information from which individuals might be identifiable. Examples include studies involving census data, administrative data, secondary analysis etc.
Studies using such previously collected anonymised data, that is non traceable, does not count as personal data, but still requires ethical review. Please contact the relevant ethics committee (BSREC or HSSREC) for further information on how to apply.
Personal data includes information about any living individual who can be identified, such as patients, health professionals, other staff, and suppliers. The information may be held in manual or electronic form, and so includes, for example, the contents of filing cabinets, medical records, videos, x-rays, and computer records.
Patient information is generally held under legal and ethical obligations of confidentiality. Information provided in confidence should not be used or disclosed in a form that might identify a patient without his or her consent. There are a number of important exceptions to this rule but it applies in most circumstances.
A duty of confidence arises when one person discloses information to another
(e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence.
- It is a legal obligation that is derived from case law
- It is a requirement established with professional codes of conduct
- It must be included within NHS employment contracts as a specific requirement linked to disciplinary procedures.
Patients entrust and allow the NHS to gather sensitive information relating to their health and personal matters as part of seeking treatment. They do so in confidence and they have the legitimate expectation that staff will respect this trust. Even if a patient is unconscious, this does not diminish the duty of confidence. It is essential, if the legal requirements are to be met and the trust of patients is to be retained, that the NHS provides, and is seen to provide, a confidential service.
Key maxims for all staff to follow are that:
- Patients should be fully informed about how their information may be used. There are strict conditions under which personal data may be disclosed. In particular, certain disclosures are not allowed without express consent.
- Individuals have the right to see what information is held about them, and to have any errors corrected.
- Personal data should be kept secure and confidential at all times.
- Personal information should be anonymised wherever and whenever possible.
- The legitimate use, disclosure or sharing of personal data does not constitute a breach of confidentiality.
- Sharing between The University can take place with appropriate safeguards.
Sometimes a judgement has to be made about the balance between the duty of confidentiality and disclosure in the public interest. Any such disclosure must be justified.
Please see the University's Information Handling Procedure. Most of the requirements are common-sense precautions such as not divulging computer passwords, keeping manual records secure, and guarding against people seeking information by deception (for example, over the telephone) - all of which will be detailed in local policies, procedures and guidance. If anyone is in doubt, they should refer to this and other policies and procedures, and if still in doubt ask their line manager.